Difference between revisions of "First-hop security IPv6 Cisco IOS"
From Teknologisk videncenter
m (→Links) |
m (added Category:IPv6 Security using HotCat) |
||
(9 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{in progress}} | {{in progress}} | ||
+ | =IPv6 RA Guard= | ||
+ | IPv6 Router Advertisement Guard. <ref>http://tools.ietf.org/html/rfcdraft-ietf-v6ops-ra-guard-04</ref> | ||
+ | |||
+ | IPv6 RA guard provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link. | ||
+ | ==RA Guard on Routers== | ||
+ | ===From IOS 12.2(33)SXI4 to 12.2(54)SG=== | ||
+ | <source lang=cli> | ||
+ | R1(config)#<input>int fa0/1</input> | ||
+ | R1(config-if)<input>ipv6 nd raguard</input> | ||
+ | </source> | ||
+ | ===From IOS 12.2(54)SG=== | ||
+ | <source lang=cli> | ||
+ | R1(config)#<input>int fa0/1</input> | ||
+ | R1(config-if)<input>ipv6 nd raguard policy policy1</input> | ||
+ | R1(config-ra-guard)# | ||
+ | </source> | ||
+ | ==RA Guard on switches== | ||
+ | <source lang=cli> | ||
+ | SW1(config)#<input>ipv6 access-list BlockRA</input> | ||
+ | SW1(config-acl)#<input>deny icmp any any router-advertisement</input> | ||
+ | SW1(config-acl)#<input>permit ipv6 any any</input> | ||
+ | SW1(config-acl)#<input>exit</input> | ||
+ | SW1(config)#<input>interface range GigabitEthernet0/1 - 24</input> | ||
+ | SW1(config)#<input>ipv6 traffic-filter BlockRA in</input> | ||
+ | </source> | ||
+ | |||
+ | =Blocking Rouge DHCPv6 Servers= | ||
+ | To block the unwanted DHCPv6 servers. | ||
+ | <source lang=cli> | ||
+ | SW1(config)#<input>ipv6 access-list BlockDHCPv6</input> | ||
+ | SW1(config-acl)#<input>deny udp any eq 546</input> | ||
+ | SW1(config-acl)#<input>permit ipv6 any any</input> | ||
+ | SW1(config-acl)#<input>exit</input> | ||
+ | SW1(config)#<input>interface range GigabitEthernet0/1 - 24</input> | ||
+ | SW1(config)#<input>ipv6 traffic-filter BlockDHCPv6 in</input> | ||
+ | </source> | ||
+ | |||
=Unicast Reverse Path Forwarding= | =Unicast Reverse Path Forwarding= | ||
To avoid spoofed packets passing a Router. Could be DoS attack. With RPF - reverse Path Forwarding - the router checks that the sending hosts source IP address matches the routing table on the receiving interface. | To avoid spoofed packets passing a Router. Could be DoS attack. With RPF - reverse Path Forwarding - the router checks that the sending hosts source IP address matches the routing table on the receiving interface. | ||
Line 10: | Line 47: | ||
=Links= | =Links= | ||
*[http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security_ps10591_TSD_Products_Configuration_Guide_Chapter.html Cisco Ipv6 first-hop security] | *[http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security_ps10591_TSD_Products_Configuration_Guide_Chapter.html Cisco Ipv6 first-hop security] | ||
+ | =References= | ||
+ | <references/> | ||
{{Source cli}} | {{Source cli}} | ||
− | [[Category:IPv6 | + | |
+ | [[Category:IPv6 Security]] |
Latest revision as of 11:42, 21 May 2014
IPv6 RA Guard
IPv6 Router Advertisement Guard. [1]
IPv6 RA guard provides support for allowing the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform. RAs are used by routers to announce themselves on the link.
RA Guard on Routers
From IOS 12.2(33)SXI4 to 12.2(54)SG
R1(config)#<input>int fa0/1</input>
R1(config-if)<input>ipv6 nd raguard</input>
From IOS 12.2(54)SG
R1(config)#<input>int fa0/1</input>
R1(config-if)<input>ipv6 nd raguard policy policy1</input>
R1(config-ra-guard)#
RA Guard on switches
SW1(config)#<input>ipv6 access-list BlockRA</input>
SW1(config-acl)#<input>deny icmp any any router-advertisement</input>
SW1(config-acl)#<input>permit ipv6 any any</input>
SW1(config-acl)#<input>exit</input>
SW1(config)#<input>interface range GigabitEthernet0/1 - 24</input>
SW1(config)#<input>ipv6 traffic-filter BlockRA in</input>
Blocking Rouge DHCPv6 Servers
To block the unwanted DHCPv6 servers.
SW1(config)#<input>ipv6 access-list BlockDHCPv6</input>
SW1(config-acl)#<input>deny udp any eq 546</input>
SW1(config-acl)#<input>permit ipv6 any any</input>
SW1(config-acl)#<input>exit</input>
SW1(config)#<input>interface range GigabitEthernet0/1 - 24</input>
SW1(config)#<input>ipv6 traffic-filter BlockDHCPv6 in</input>
Unicast Reverse Path Forwarding
To avoid spoofed packets passing a Router. Could be DoS attack. With RPF - reverse Path Forwarding - the router checks that the sending hosts source IP address matches the routing table on the receiving interface.
- Example
- An access-list can be used as an option to this command
R1(config)#<input>interface fa0/1</input>
R1(config-if)#<input>ipv6 verify unicast reverse-path</input>